So there are 2 possible explanations:

1) you stored the 2fa priv key in the same device where your priv key was sitting, it is highly discouraged!
2) somebody stole your tokens by physical access to your devices
3) the whole story is a bait, not sure what's the purpose